Definitions for various roles of the NSX Advanced Load Balancer are detailed in this section.

The role definitions (the list of permissions included in each role) for the network project role, the service engine project roles, the storage project role and the remaining roles below are tabulated here.

Network Project

Role definition file: network_project_role.yaml

Permissions:

compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.regions.get
compute.routes.create
compute.routes.delete
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use

Service Engine Project

Role definition file: service_engine_project_role.yaml

Permissions:

compute.disks.create
compute.forwardingRules.get
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.list
compute.globalOperations.get
compute.images.create
compute.images.delete
compute.images.get
compute.images.list
compute.images.setLabels
compute.images.useReadOnly
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.list
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setTags
compute.instances.use
compute.machineTypes.get
compute.regionOperations.get
compute.regions.get
compute.regions.list
compute.targetPools.addInstance
compute.targetPools.create
compute.targetPools.delete
compute.targetPools.get
compute.targetPools.list
compute.targetPools.removeInstance
compute.targetPools.use
compute.zoneOperations.get
compute.zones.list

GCP Instance Group Autoscaling Service Engine Project

Role definition file: autoscaling_service_engine_project_role.yaml

Permissions:

pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy

ILB, BYOIP Service Engine Project

Role definition file: ilb_service_engine_project_role.yaml

Permissions:

compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.setLabels
compute.addresses.use
compute.addresses.useInternal
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.update
compute.healthChecks.use
compute.healthChecks.useReadOnly
compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use
compute.regionBackendServices.create
compute.regionBackendServices.delete
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionBackendServices.setSecurityPolicy
compute.regionBackendServices.update
compute.regionBackendServices.use

Storage Project

Role definition file: storage_project_role.yaml

Permissions:

storage.buckets.create
storage.buckets.delete
storage.objects.create
storage.objects.delete
storage.objects.list

GCP Instance Group Autoscaling Server Project

Role definition file: server_project_role.yaml

Permissions:

compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instances.get
compute.instances.list
compute.projects.get
logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.list
logging.sinks.update

Cluster IP

Role definition file: cluster_vip_role.yaml

Permissions:

compute.instances.get
compute.instances.list
compute.instances.updateNetworkInterface

Service Account Project

Role definition file: none; iam.serviceAccountUser is pre-created in GCP

Permissions:

compute.instances.setServiceAccount
iam.serviceAccountUser (pre-created in GCP)

Creating Roles in GCP

You can create custom roles either by using the gcloud command-line tool or the GCP console.
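As an added example, not from the NSX Advanced Load Balancer documentation: a POSIX shell script that writes the network project role's definition file in the YAML format that gcloud iam roles create consumes, and checks an exported copy of the deployed role for permissions beyond the documented list. The project id, the role id and the exported role file are placeholders or constructed here.

```shell
#!/bin/sh
# Added example, not from the NSX Advanced Load Balancer documentation: build the
# role definition YAML for the network project role from the permission list
# documented above, and detect permission drift in the role as deployed.
# NETWORK_PROJECT_ID and the role id "network_project_role" are placeholders;
# the "live" role file is constructed here to stand in for gcloud output.

NETWORK_PROJECT_PERMISSIONS="compute.networks.get compute.networks.list
compute.networks.updatePolicy compute.regions.get compute.routes.create
compute.routes.delete compute.routes.list compute.subnetworks.get
compute.subnetworks.list compute.subnetworks.use"

# write_role_file TITLE OUTFILE PERMISSION... : write a gcloud custom-role YAML file
write_role_file() {
  title=$1; out=$2; shift 2
  {
    printf 'title: "%s"\n' "$title"
    printf 'description: "Least-privilege role from the documented permission list"\n'
    printf 'stage: "GA"\n'
    printf 'includedPermissions:\n'
    for p in "$@"; do printf -- '- %s\n' "$p"; done
  } > "$out"
}

# permissions_in FILE : the includedPermissions entries of a role YAML, sorted
permissions_in() { sed -n 's/^- //p' "$1" | sort; }

# extra_permissions DOCFILE LIVEFILE : permissions granted to the live role that
# the documented role does not include; empty output means no privilege creep
extra_permissions() {
  doc=$(mktemp); permissions_in "$1" > "$doc"
  permissions_in "$2" | grep -vxF -f "$doc" || true
  rm -f "$doc"
}

write_role_file "Network Project Role" network_project_role.yaml $NETWORK_PROJECT_PERMISSIONS

# Create the custom role in the network project (requires gcloud and a principal
# with Role Administrator on that project):
#   gcloud iam roles create network_project_role \
#     --project="$NETWORK_PROJECT_ID" --file=network_project_role.yaml
# Periodically export the deployed role and compare it with the document:
#   gcloud iam roles describe network_project_role \
#     --project="$NETWORK_PROJECT_ID" > live_network_role.yaml
# Constructed stand-in for the exported role, with one permission added by hand
write_role_file "Network Project Role" live_network_role.yaml \
  $NETWORK_PROJECT_PERMISSIONS compute.instances.delete
extra_permissions network_project_role.yaml live_network_role.yaml
# prints: compute.instances.delete
```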